Controller/Processor and DPO
Assign topic to the user
Normally most schools collect, names, addresses, birthdays, sex, race, religion, phone numbers, etc. This is not dictated by us, but is relevant to any reporting the school needs to do.
1. Controller/Processor: We are fairly confident that we will need to assume the role of controller and processor.
2. DPO - Again, we believe we will need a DPO or need to assign someone in the company the responsibility of overseeing our GDPR compliance. We have based this decision on the fact that student information saved in our da tabase can be processed by the schools in the form of reports for internal and external purposes.
Based on the information I have included would you agree?
Answer:
For your first questions you cannot be processor and controller for the same processing activity. From the description it seems to me that for the processing activity you mentioned you are a processor and the schools are the controllers because they are the ones deciding the means and purposes for the processing while you are just providing the system which they use.
As for your second question, especially because most of the personal data belongs to minors and because you are also processing sensitive personal data such as religion I would advise you to appoint a DPO.
You can find out more about the tasks of DPO in out article “The role of the DPO in light of the General Data Protection Regulation” https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/
I also invite you to go through our online training GRPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//
Comment as guest or Sign in
Feb 15, 2018